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(57) Abstract: Providing a user with assurance that a networked computer is secure, typically before completion of the log-in op- 
eration. This can be accomplished by extending the local log-in process to perform a host assessment of the workstation prior to 
requesting the user's credentials. If the assessment finds a vulnerability, the log-in process can inform the user that the machine is or 
may be compromised, or repair the vulnerability, prior to completion of the log in operation. By performing vulnerability assessment 
at the level of the workstation, a netwoik server is able to determine whether the workstation is a "trusted" platform from which to 
accept authentication requests. If the vulnerability assessment shows that the workstation is compromised, or if the possibility of 
remote compromise is high, the network server can elect to fail the authentication on the grounds that the workstation cannot be 
trusted. Optionally, a vulnerability assessment tool may be able to repair the vulnerability of the workstation, and then allow the 
authentication to proceed. 



wo 02/03178 



PCT/USOl/17275 



METHOD AND APPARATUS FOR NETWORK ASSESSMENT AND 

AUTHENTICATION 



5 FIELD OF THE INVENTION 

The present invention relates to network security for distributed 
computer systems and, more specifically, to granting network services and 
determining the level of supplied services based upon an assessment of the 
vulnerability of a network computer. 

10 

BACKGROUND OF THE INVENTION 

As use of network services becomes more prevalent in distributed 
computer networks, secure authentication of a computer user increases in importance. 
Authentication is required to prevent unauthorized use and abuse of network services, 

15 Authentication services typically require the user to verify his or her identity to the 
network service provider to determine whether that user is authorized to use a 
computer to access the network. 

An authorization mechanism defines who is allowed to do what on a 
computer. Two computer authorization mechanisms for typical operating systems are 

20 privileges and object access control. Users granted a specific privilege can perform 
an action that is denied to users who do not have the privilege. Typically, privileges 
are not evaluated on a per-object basis. Instead, a privilege is appUed in general to an 
action for a user. For example, the root user in most UNIX operating systems has a 
set of privileges associated with authorized actions. The "WINDOWS NT" operating 

25 system supports the grant of a set of privileges on a per-user or user group basis. 

When access control is required for a particular object, such as a file, a 
form of authorization other than a general privilege can be used to define a permission 
to access the object on a per user basis. Object access control can specify, for each 
object, different access permissions for different users. For example, on a UNIX 

30 system, the "chmod" command allows the user to specify read, write, and execute 
permissions for the owner, the group, and the world. The "WINDOWS NT" 
operating system uses a discretionary access list that grants control permissions for 
different users. 

Both authorization methods support the control of computer actions 
35 based on the identity of the user. The user's identity establishes the privileges and the 
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objects that she can access via a compute. Establishing fhe identity of the user is 
crucial to security and control in a computer network and is the role of the 
authentication process. 

There are three branches of authentication technology in conunon use 

5 today to assist verification of the identity of the user. Shared secret (password) 
technology is one; pubUc key technology is a second; and biometric technology is a 
third. Conventional authentication involves confirming the user's identity by (1) 
verifying a shared secret, such as a password, (2) using public4)rivate key encryption 
and verifyiag that the user knows the private key, or (3) using unique biometric 

10 information about the user, such as fingerprints, retinal patterns, or voice prints. All 
three technologies revolve around the fimdamental principle of credentials. A 
credential is information useful to establish the identity of a computer us^. An 
authenticating service requests credentials from the user to support a decision about 
the identity of the user based on the credentials. 

IS In many organizations and homes today, users operate a workstation, 

which makes requests for a network service available on a conq>utCT network. The 
workstation is important in authentication for two reasons. First, the workstation is a 
platform fi:om which the user can access resources, including network services, on the 
network. Users authenticate and connect to network services from then workstations. 

20 Second, the ^workstation can be silentiy compromised by an unauthorized party. A 
"silent" compromise is one that the user cannot easily detect without the aid of 
external security auditing tools. Silent compromise is typically accomplished by 
installing a compromise tool called a "root kit" or a **backdoor" on the workstation. 
For example, current "hackef* soflware can be used to obtain the customer's 

25 password by loggiag keystrokes or browser screenshots can be taken to intercept SSL- 
protected HTTP traffic. 

An intruder may compromise the integrity of a workstation, or a 
workstation may be misconfigured so that compromise is possible. The use of a 
network service may be compromised when a user accesses a network service from a 

30 compromised workstation. This subjects the network service to unauthorized use and 
abuse by the intruder on a valid user's workstation. 

The effect of a compromised workstation is the potential violation of 
security mechanism that assumes the workstation is "trusted", including password- 
based authentication and some forms of biometric authentication. Smart card 

35 authentication implementations also can be subverted if the workstation's Trusted 
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Computer Base is subverted. For example, a user's credentials, such as password and 
biometric credentials, can be stolen or rogue code can be executed that imp^onates 
the logged-on user. 

Host assessment and authentication is relevant to the Internet 

5 environment because most Web clients are currently desktop machines. These 
machines are capable of being compromised, and are jGrequent targets of 
compromising attacks. Some Web sites attempt to vmfy fbe security of the client 
host by p^orming a security assessment before allowing transactions from that host. 

For example, online banking appUcations are typically implemented by 

10 Web sites that aUow customers to view account balances and pay bills. Customers 
and insurers want assurances that only the customer can perform transactions, and that 
the transactions are confidential. Current techniques include password authentication 
to verify that only the customer has access to their account, and SSL or PCX 
encryption to verify that there is no **man in the middle" capable of intercepting the 

15 network traffic. 

In view of flie foregoing, there is a need for a way for verifying the 
integrity of the workstation prior to granting access to and determining the level of a 
network service. The present invention solves the security compromise problem by 
providing assurances to the Web site operator (and their insurer) that the user*s 

20 workstation has not been compromised or is easily compromised. The invention can 
accomplish this desirable objective by scanning the user's workstation for evidence of 
comproinise and vubierabilities that could lead to compromise. For example, when a 
user signs on to a Web site, the scan can be completed as part of the authentication 
process. 

25 

SUMMARY OF THE INVENTION 

The disadvantages of the prior art are overcome by the present 
invention, which can restrict access to a network service based on information about 
the integrity and security posture of the workstation that originates the service request. 

30 A network service receives a request for service jfrom a user on a workstation. Prior 
to authorizing access to the service, the network service requests or expects to receive 
credentials fi:om the user and/or the workstation. Workstation credentials are 
presented as part of the authentication process, and typically include information 
about the current integrity of the workstation, and the security posture of the 

35 workstation. The security posture typically includes data that indicates the potential 
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for the workstation to be compromised. The network service makes a decision about 
whether to process the service request based on the user credentials and/or the 
workstation credentials. If the network service decides to process the request, it may 
elect, based on the workstation credentials, to provide a degraded service that is 
consistent with tiiie perceived risk of workstation compromise. 

The present invention provides an authentication process that can 
refuse access by a workstation to a network service based on the integrity and security 
posture of the workstation that originates the service request. This inventive process 
can be integrated with other authentication processes, particularly user authentication 
processes, to enhance the security provided by the authentication process. This 
augments the authentication and authorization processes of existing network services. 

The present invention can also perform workstation assessments from 
multiple security perspectives, store the different results, use the assessments to grant 
or deny service access, and issue a report of these results to authorized users. The 
term "multiple security perspectives" means that workstation assessments may be 
performed at different network locations, and with different levels of access to the 
workstation by a workstation assessment service. 

More particularly described, the present mvention provides a network 
authentication system comprising an assessment service for assessing the 
vulnerabiUty of a workstation that can be connected to a network server. The network 
server provides network service(s) over a computer network and requires 
authentication to maintain secure operations. A workstation is assessed, either locally 
or over the network, for security vuhierabiUties. A workstation assessment service 
produces workstation credentials comprising integrity information and security 
posture information. Integrity information describes whether the workstation is 
compromised, while security posture information describes the workstation's 
potential for compromise, or security risk. The results of an assessment are compared 
to a workstation security policy to decide whether to allow network service and to 
define a level of network service to be supplied to the workstation. 

The workstation assessment service can be located on the workstation, 
thereby providing a local workstation assessment service. In the alternative, the 
workstation assessment service can operate on a network machine other than the 
workstation, thereby providing a network-based workstation assessment service. The 
network service, upon receiving the service request from a network client operating 
on a workstation, requests workstation credentials from a local workstation 
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assessment service on the requestiiig workstation or via the netwoik-based 
workstation assessment service. The network service can use a persistent store to 
cache workstation credentials and thereby prevent overly frequent reassessments of 
the workstation. 

S The workstation policy can be stored on a network server that hosts the 

network service. In the alternative, the workstation policy can be stored on a network 
server that is different from the server that hosts the network service. The workstation 
policy also can be stored on the workstation. 

Typical distributed computing environment includes a workstation and 

10 a network server, each coupled to a computer network. A network client operates on 
the workstation, whereas a network service operates on the network server. For a 
representative scenario, the network service can request workstation credentials from 
a local workstation assessment service operating on the workstation. In turn, a 
network client, as part of the network client authentication process, can transmit the 

15 workstation credentials to the network service. The network service processes the 
workstation credentials based on workstation policy and decides whether to allow 
service to the network client. 

For another aspect, the network service requests workstation 
credentials from a network-based workstation assessment service. In response, the 

20 network workstation assessment service provides workstation credentials to the 
network service to support the authentication process. The network service processes 
the workstation credentials and workstation policy to determine whether to allow 
service to a network client operating on the workstation. 

For yet another aspect, the network service can transmit a security 

25 challenge to the network client. In response, the workstation assessment service 
transmits a reply that allows the network service to verify that the workstation 
assessment service has completed an assessment. This challenge/response may be 
implemented by the transmission of a shared secret, such as a pseudo-random number. 
The response may be generated by a one-way-function (such as MD5 or SHAl) 

30 performed on a concatenation of the challenge, the shared secret, and the results of the 
workstation assessment. The network service verifies that a program with knowledge 
of the shared secret produced the results of the workstation assessment. The network 
service can *trust" the results of a workstation assessment based on a positive 
verification result. 
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The network service may utilize the results of the workstation 
assessment to provide a degraded level of service to the workstation. The service 
level corresponds with the results in the workstation assessment result set The level 
of service can be driven by a metric, such as a scalar score calculated by assigning a 

5 weight to each possible result, adding the weights for each result in the workstation 
assessment result set, and providing a score threshold for each possible level of 
service. If a score exceeds flie score threshold for a particular level of service, then 
that level of service may not be granted by the network service. In the altemative, a 
scalar score can be calculated based \xpon a weighted av^age of a vulnerability for a 

10 workstation, each vulnerability assigned a predetermined priority. Consequently, the 
level of service can be associated with any conventional metric. 

The service level also can be decided by utilizing techniques, such as 
artificial intelligence or expert systems, to make an intelligent analysis of the risk 
involved to the network service, service provider, and end user, given the workstation 

15 assessment results. For example, if a network service provides a service in distinct 
facets, each service facet may make a determination about degree of service provided, 
utilizing the results of the workstation assessment. When a network service provides 
data transport for network services, each higher-level network service may make a 
determination about the service level to be provided, utilizing the results of the 

20 workstation assessment, as provided by the data transport service. 

In view of the foregoing, it will be understood that the present 
invention can grant access to the network services and determine the level of supplied 
services based upon an assessment of the vulnerability of a workstation coupled to a 
computer network. The advantages and implementation of the present invention will 

25 be described in more detail below in connection with the detailed description, the 
drawing set, and the attached claims. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram illustrating the primary components of a 
30 network security system, iacluding a local workstation assessment service on a 
workstation, in accordance with an exemplary embodiment of the present invention. 

Figure 2 is a logical flowchart diagram illustrating an authentication 
process in accordance with an exemplary embodiment of the present invention. 
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Figure 3 is a diagram showing interactions between a workstadon 
having a local workstation assessment service and a network serv^ having a network 
service in accordance with an alternative embodiment of the present inventioiL 

Figure 4 is a diagram illustrating a network security system including a 
5 workstation having a local workstation asses^^t service and a workstation security 
policy for completing a local aufheatication decision in accordance with an exemplary 
embodiment of the present invention. 

Figure 5 is a block diagram illustrating the primary components of a 
security system including a workstation assessment service co-located with a network 
10 service in accordance with an exemplary embodiment of the present invention. 

Figure 6 is a diagram showing interactions between a workstation, 
network server, and network workstation assessment server of a network security 
system in accordance with an exemplary embodiment of the present invention. 

Figure 7 is a diagram showing interactions between a browser and a 
15 Web server in a Web-based security system in accordance with an exemplary 
embodiment of the present invention. 

Figure 8 is a diagram showmg multiple security perspective 
assessments invoked by network server through a workstation assessment proxy 
service in accordance with an exemplary embodiment of the present invention. 
20 Figure 9 is a diagram showing interactions between a workstation 

having a local workstation assessment and a network server having a network service 
in accordance with an exemplary embodiment of the present invention. 

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS 

25 In environments where computers are shared, users want an assurance 

that the computer they are logging-in to is secure, before completion of the log-in 
operation. This can be accomplished by extending the local log-in process to perform 
a local host assessment of the workstation prior to requesting the user's credentials. If 
the assessment finds a vulnerability, the log-in process can inform the user that the 

30 machine is or may be compromised, or repair an identified vulnerabiUty, prior to 
completion of the log-in operation. 

By performing vuhierability assessment at the level of the workstation, 
the network server is able to determine whether the workstation is a "trusted" 
platform fi:om which to accept authentication requests. If the vulnerability assessment 

35 shows that the computer is compromised, or if the possibiUty of remote compromise 
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is high, the network server can deny authentication because the workstation cannot be 
trusted. Optionally, a vuhierability assessment tool may be able to repair the 
vuhierabiUty of the workstation, thereby allowing the authentication to proceed. 

For example, corporations that implement Virtual Private Networks 
5 (VPNs) typically allow people physically located outside corporate facilities access to 
the corporate network. While corporate computer systems staff can secure the 
machines physically located in corporate facilities, fhey cannot control machines 
located outside corporate boundaries. These external machines present a security risk. 
Even if the users of the external machines are benevolent, the machines may have 

10 been compromised silently. If this h£^p@as, the intruder on the extemal machine may 
use the VPN coimection as a stepping-stone to unauthorized use of the corporate 
network. This risk can be addressed by extending the log-in process to include 
vuhierability assessment of the extemal host. If the vuhierability assessment fails, the 
extemal host is not allowed to connect to the network and the user of the external host 

15 is notified of the security risk. Another alternative is to automatically address the 
vulnerability (with the user's approval) by repairing an identified vuhirarabiUty, prior 
to completing the VPN log-in process. This technology can also be used to secure 
dial-up networking. The dial-up networking authentication process can be extended 
to include vuhierability assessment of the dial-in host. 

20 As used in the description herein and throughout the claims, the 

following terms take the meanings e3q)Ucitly associated herein, unless the context 
clearly dictates otherwise: the meaning of "a", "an", and "the" includes plural 
references, the meaning of "in" includes "m" and "on." Also, as used herein, "global 
computer network" includes the Internet. A '"network service" mcludes any service 

25 that is made available over a distributed computer network. Exraiplary embodiments 
of the invention are now described in detail in coimection with the drawings. 
Referring to the drawings, like numbers indicate like parts throughout the views. 

Figs. 1 and 2 illustrate a client-invoked vulnerability assessment of a 
workstation in which the workstation credentials are gen^ted locally at the 

30 workstation. In other words, the vuhierability assessment is invoked at the client and 
the assessment is completed by a local workstation assessment service on the 
workstation. As shown in Fig. 1, an exemplary network security system 100 
comprises a workstation 115 operating a local workstation assessment service in a 
network environment including a distributed computer network 125 and a network 

35 server 120. A network cUent 130 retrieves workstation credentials, typically 
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including workstation integrity information and workstation security posture 
information, from the local workstation assessment service 135 on the workstation 
115. The local workstation assessment service 135 generates the workstation 
credentials by completing a local examination of the workstation 115. The network 
5 client 130, which also resides on the workstation 115, presents these credentials to a 
network service 140 on the network server 120 during an authentication process. The 
network service 140 decides whether to provide service to the workstation 1 15 via the 
network 125 based on the workstation credentials. Specifically, the network service 
140 completes this decision-making process by evaluating the workstation against a 

10 workstation seciirity policy. This allows the network service 140 to determine the 
extent to which the workstation 115 compUes with its security policy. The network 
service 140 typically uses a policy compliance measurement to decide what, if any, 
service level to be the supplied to the workstation 115. 

Turning now to Fig. 2, a logical flowchart diagram presents an 

15 illustration of the sequmce of exemplary steps completed by an authentication 
process in connection with the local workstation assessment service in Fig. 1. The 
authentication process is invoked at the client and the assessment is completed by the 
local workstation assessment service residing on the workstation. The exemplary 
authentication process 200 begins in step 205 in response to a user initiating a log-in 

20 operation on a workstation coupled to a computer network. The workstation includes 
a local workstation assessment service maintained in memory to support the local 
generation of workstation credentials. The local workstation assessment service can 
generate the workstation credentials by completing vulnerability assessment of the 
workstation. In step 210, a network client residing on the workstation retrieves the 

25 workstation credentials from the local workstation assessment service. In addition, 
the network client can obtain user credentials in stqp 215 from a user credential 
database. The network client can provide both the workstation credentials and ttie 
user credentials to a network service via a computer network. The network service 
operates on a network server and is operative to determine whether to provide service 

30 to a workstation coupled to the computer network based upon workstation credentials. 
In step 220, the network service accesses a workstation security policy to support a 
determination of whether to provide service to the requesting workstation. In a 
separate decision-making process, the user credentials can be compared to a user 
credential database to fiirther support secure computing operations. 
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The network service corapletes an authentication decision in step 225 
by ^plying the workstation credentials to the workstation security policy. In the 
event that the credentials satisfy the workstation security policy, ttie network service 
permits operation of the requested service by the workstation in step 230. If the 

5 credentials satisfy only a portion of the workstation security policy, the network 
service can elect to allow the workstation to access a degraded level of service, as 
shown in step 235. On the other hand, the network service can elect to deny service 
to the workstation, as shown in step 240. 

Fig. 3 provides an illustration of another alternative exemplary network 

10 security system for a computer network comprising one or more workstations and a 
network server. Similar to Figs. 1 and 2, Fig. 3 illustrates a client-invoked 
vulnerability assessment witfi a local assessmrat of the workstation. A workstation 
305 comprises a network cUent 310 and a local workstation assessment service 315. 
The network server 320 maintains one or more network services 325. Each 

15 workstation 305 can access the network service 325 via a distributed computer 
network. Prior to a service request, the network chent 310 issues a request for 
workstation credentials to initiate an authentication process. In response, the local 
workstation assessment service 315 completes the vuhierability assessment of the 
workstation 305 and returns workstation credentials to the network client 310. In this 

20 manner, the workstation assessment is completed by a local assessment service 
operating on the host computer rather than by a server-based assessment service 
operable to complete a remote scan of the workstation. 

The network client 310 can transmit the workstation credentials and/or 
user credentials to the network service 325 via the distributed computer network. A 

25 typical authentication process is completed by evaluating credentials for a 
workstation. The network service 325 accesses a workstation security policy to 
evaluate the workstation credentials and to determine the level of service, if any, to be 
provided to the workstation 305. The workstation security policy can be maintained 
on the network server 320 or on a separate server, such as a network policy server or a 

30 directory server. The network service 325 can determine whether to allow the 
workstation 305 to access a network service based upon a comparison of the 
workstation security policy to the workstation credentials. The network service 325 
notifies the network client 310 of the authentication results generated by a comparison 
of the workstation security policy to the workstation credentials. Although the 

35 exemplary network security system 300 completes a local assessment of the host 
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computer, the authentication decision is completed by a separate computer on the 
distributed computer network, namely the network server 320. 

Fig. 4 illustrates an exemplary network security system 400 that makes 
a local authentication decision based on a vufaierability analysis completed on the host 

5 workstation. The network security system 400 operates in a traditional cUent-server 
environment to support the delivery of network services to a client via a remote 
server. The client invokes the vulnerability assessment, which results in a local 
assessment of the woricstalion to support an authentication decision at the client 
workstation. A workstation 405 has a local workstation assessment service 41 S and a 

10 workstation security policy 420. The workstation 405 further includes a network 
client 410, which can be connected a network 425, such as the global Internet. A 
network server operating a network service 435 is also coimected the network 425. 

The network client 410 queries the local woikstation assessment 
service 415 for workstation credentials. The network client 410 completes a policy 

15 compliance measurement by using the workstation security policy 420 and the 
workstation credentials. The network client 410 can then decide whether to use 
traditional user authentication with the network service 435. Other options include 
storing the workstation policy on a separate server and caching the workstation 
credentials on the network server. In this manner, there is no requirement to assess 

20 the workstation for each service request 

Fig. 5 illustrates an alternative exemplary network security system 500 
for network service authentication comprising a network workstation assessment 
service resident at a network server. The architecture of the exemplary network 
security system of Fig. 5 is based upon a vulnerability assessment invoked by a 

25 network service and an assessment completed at the network server rather than at the 
local workstation. In contrast, the workstation assessm^t service operates on the host 
or local workstation in the exemplary network security system 100 of Fig. 1 . Turning 
now to Fig. 5, a network client 530, operating on a workstation 515, presents user 
credentials and a request for service to a network server 520 via a distributed 

30 computer network 525. A network service 540, resident on the network s^er 520, 
requests workstation credentials from a network workstation assessment service 535. 
This service may reside on the network server 520, as shown in Fig. 5, or on another 
server (not shown) connected to the network 525. The network workstation 
assessment service 535 generates the workstation credentials by remotely examining 

35 the workstation 515 for actual or potential vulnerabilities to security violations. In 
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turn, the network service 540 can evaluate the workstation 515 by comparing the 
workstation credentials against a workstation security policy. Based upon this 
evaluation, the network service 540 will determine the level of service, if any, to be 
provided via the network 525 to the workstation 515. For example, if the network 

5 service 540 decides to allow service to the workstation 515, the network servCT 520 
delivers the service via the network 525 for use by the network client 530. 

An alternative exemplary network security system is shown in Fig, 6. 
The exemplary network security system supports a network service-invoked 
vulnerability assessment of a client workstation where the network workstation 

10 assessment service is operating on a server other than the network serv^ providing 
the network service. Turning now to Fig. 6, the exemplary network security system 
600 comprises a workstation 605, a network server 610, and a network workstation 
assessmait server 615, each connected to a distributed computer network, such as the 
global Intemet or an intranet. To obtain a service from the network server 610, a 

15 workstation 605 issues a request for service to the network server 610 via the 
distributed computer network. In response, a network service operating on the 
network server 610 issues a request for a workstation assessment. The network 
workstation assessment server 615 responds to the workstation assessment request by 
remotely completing a workstation assessment of the workstation 605 via the 

20 distributed computer network. The workstation assessment comprises a scan of the 
workstation 605 to identify possible security vulnerabilities of that computer and 
generates security credentials for the workstation 605. The network workstation 
assessment server 615 can send ttie workstation credentials to the network server 610 
via the distributed computer network. In turn, the network server 610 compares the 

25 workstation credentials to a workstation security policy and decides whellier to allow 
the workstation 605 to access the service available on the network server. 

The exemplary network security system illustrated in Fig. 6 is similar 
to the network security system shown in Fig. 5, v^th the exception that the network 
workstation assessment service is operating on a server other than the network server 

30 providing a network service. In other words, the network server 610 in Fig. 6 is not 
responsible for completing an assessment of the potential vulnerabilities of the 
workstation requesting access to network service. Instead, the network server 610 
relies upon a workstation assessment service operating on a separate server, the 
network workstation assessment server 615, to complete a remote scan of the 

35 workstation 605 via the distributed computer network. The network service operating 
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on the network server 610 uses the scan results provided by the network workstation 
assessment server 615 to determine whethCT to provide a partictilar service level to the 
requesting workstation 605. 

An exemplary process 700 for Web-based network service 
authentication relying upon browser-based technology is shown in Fig. 7. Turning to 
Fig. 7, the process 700 is initiated by a browser 705, which operates on a workstation, 
requesting a log-in page from a Web server 710 via a distributed computer network, 
such as the Intemet. The Web server 710 provides a service that requires 
authentication and log-m of a requesting workstation. The Web s^er 710 transmits 
a workstation assessment agent, which may be a Java applet, ActiveX control, 
browser plug-in, or other Web-based executable content, to the Web browser 705 ui 
response to the log-in-request. Once installed at the browser 705, the workstation 
assessment agent generates workstation credentials based on a local examination of 
the workstation. For example, if the workstation assessment agent is implemented as 
a browser plug-in, the plug-in operates within the browser environment to complete a 
scan of the host computer. The results of this vulnerabiUty scan represent workstation 
credentials. For the representative example shown in Fig. 7, the workstation 
assessment agent is implemented by a browser plug-in 705'. 

The workstation assessment agent, i.e., the browser plug-in 705', 
transmits the workstation credentials to the Web server 710 via the computer network. 
An application on the Web server 710, typically a Web server CGI 715, compares the 
workstation credentials to a workstation security policy to decide whether the 
workstation is secure. Service by the Web server 710 is allowed if the Web server 
CGI 710 determines that the workstation is secure and the Web server 710 
authenticates the user. If the Web server CGI 715 decides to contmue, and the Web 
server 710 has not akeady authenticated the user, the server may now begin the user 
authentication process. There is a benefit to authenticating the user after completing a 
vulnerability analysis of the workstation - it is more difficult for an intruder to steal a 
user's credentials if the intrusion is detected and the user authentication process is 
terminated before the user presents their credentials. 

Table I provides an overview of the primary network service 
authentication tasks completed for the Web-based operating environment of a 
workstation assessment agent operating on a workstation and a Web server, as shovm 
in Fig. 7. The workstation assessment agent completes vulnerability assessment tasks 
and transmits the assessment results to the Web server. In turn, the Web server 
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determines whether to provide a network service to the workstation based on the 
assessment results. 

Table I 

5 L The user of a workstation requests a log-in 

page from a Web server, typically by clicking a button or 
link on a Web page to begin the authentication process. 

2. A browser, operating at the workstation, 
loads a host authentication page. The host authentication 

10 page contains a browser plug-in representing a workstation 

assessment agent. 

3. The browser plug-in performs a host 
assessment scan of the workstation. 

4. The browser plug-in sends the scan results 
15 via a secure link to a CGI script on the Web server. 

5. The CGI script uses the scan results to 
decide whether to grant the host access to a network service 
at the Web server. 

6. If the host is granted access, the CGI script 
20 redirects the browser to the next step in the authentication 

process, namely user autbentication. If the host is denied 
access, the CGI script redirects the browser to a page that 
explains why the host cannot be granted access to the Web 
server. This page also describes what the user can do to 
25 bring the host into compUance so that access will be 

granted. 

The exemplary Web-based process shown in Fig. 7 is supported by two 
separate components: (1) the browser plug-in 705' that performs the workstation 

30 assessment; and (2) the CGI script 715, which evaluates the scan assessment results 
and determines whether the host satisfies authentication requirements. The browser 
plug-in and the CGI script are representative embodiments of software routines that 
operate on the workstation and the Web server, req)eotively. The workstation 
assessment service is provided by the browser plug-in and implemented by a variety 

35 of different software routines, including a Java applet or an ActiveX control 
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Likewise, the network service implemented by the CGI script can be implemented by 
other conventional Web-based executable software programs. Consequently, it will 
be understood that the present invention is not limited to a particular Web-based 
implementation, such as the rq)resentative exemplary embodiment illustrated in Fig. 
5 7. 

The workstation assessment agent, implemented as a browser plug-in 
705*, has two main functions: host asses^ent and communication of workstation 
assessment results. The host assessment is completed to detennine whether the host is 
compromised. The browser plug-in 705' runs a series of checks, each looking for a 

10 particular security risk. Each check generates a scan result, which indicates whether a 
vuhierability risk is present at the workstation. The browser plug-in 705' then 
prepares assessment results for transmission to the Web server. 

The browse plug-in 705' communicates the assessment results to the 
CGI script 715 operating on the Web servCT 710. This communication is preferably 

15 completed in a secure mamier, between the workstation and the Web server, so that 
results cannot be intercepted by a third party. The communication also should be 
secure in such a way as to prevent the transmission of false information to the CGI 
script 715. This can be accomplished by the use of authentication or encryption 
technologies 

20 For example, the communication between the browser plug-in 705' and 

the CGI script 715 can be completed by sending an HTTPS GET request with 
vuhierability assessm^t results stored as parameters of the GET request. The 
browser plug-in 705' g^erates a URL that uses HTTPS for confidentiality and 
contains the scan results as parameters. These parameters can be obfiiscated by using 

25 shared secret encryption to prevent reverse engineering of the communications 
chaimel and to insure transmission only to appropriate servers. 

The CGI script 715 receives scan results ftom Web clients, and 
decides, based on the results, whether to continue the authentication process. The 
script 715 responds to the scan results by redirecting the Web client, i.e., the 

30 workstation, to one of two different Web pages based on this decision. If the script 
715 decides to allow authentication to continue, it redirects the browser 705 to a page 
that continues or completes the log-on process. If the script 715 decides to deny 
access, it redirects the browser 705 to a page that explains that service access is 
denied, why access is denied, and what can be done to obtain access to the requested 

35 service. 
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The CGI script 715 is preferably capable of receiving encrypted data 
comprising scan results from the browser plug-in 705', decrypting the data, and 
making a decision based on the results. The script 715 can assign a score to each 
different vulnerability identified by the browser plug-in 705'. When all results are 
5 received from the browser plug-in 705*, the script 715 calculates a total score by 
adding the score assigned to each vuhierabiUty. The total score is then compared by 
the script 715 against a maximum allowable score. If the total score is less than or 
equal to the maximum allowable score, authentication is allowed to proceed. If the 
total score is greater than the maximum allowable score, access by the browser 705 to 

10 the Web server 710 is denied by the script 715. 

The Web-based design illustrated in Fig. 7 requires the server to 
decide, based on security assessment information from the client, whether or not to 
grant access, or possibly grant restricted access to a client workstation. In the 
alternative, the client can make that decision, given sufficient decision-making 

15 information from the server. For example, a browser operating on a workstation can 
issue a request for a log-in page to a network server. In response, the network server 
can transmit the log-in page, an authentication plug-in, and a workstation policy to the 
workstation via the computer network. The authentication plug-in is installable 
within the browser and operative to gmerate workstation security credentials by 

20 completmg a vulnerability assessment of the workstation to identify security 
vulnerabilities that would compromise the secure operation of the workstation on the 
computer network. The workstation security credentials can be compared to the 
workstation policy on the workstation to determine whether the workstation should be 
granted access to a software service of the network. 

25 In most web service contexts, the result of a decision-making process 

for determining whetihter to grant access by a client to a network service can be 
e3q)ressed as making a choice between URL's. If the decision comes out one way, the 
browser points to one URL. If it comes out another way, the browser points to a 
different URL. This can be accomplished on the server side by instructing the client 

30 to submit scan information to the server, and having the server redirect the client to 
the appropriate URL after makmg the service access decision. 

The client's decision-making procedure typically involves three types 
of information: vulnerability weights, used to calculate a host score based on found 
vuhierabilities, a **max score", used to gate service, and two URLs, one for passmg 

35 scores and one for failing scores. If the host's score exceeds the max score, the host is 
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not granted access, and is redirected to the URL for failing scores. If the host's score 
is less than or equal to the max score, the host is allowed access, and is redirected to 
the URL for passing scores. 

A network server can send vulnerability weights, max score, and URLs 
5 to the client, thereby allowmg the client to calculate the host score, compare it to the 
max score, and redirect the browser to the appropriate URL, This delivery of 
information to the client via the computer network can be completed without 
compromising the consumer's privacy. However, if the URLs are transmitted to the 
client without protection, the consumer could intercept the transmitted URL and 

10 thereby circumvent the process. 

By authenticating the control or plug-in transmitted to the web server, 
a veriiBcation can be completed so that only the control (or someone who knows the 
shared secret embedded within it) can request the "success" URL successfully. 
Assume that the "success" URL is actually the URL of a web script and that a crypto 

15 "challenge" is generated and passed to the control along with the URLs, The control 
can use this challenge, along with a shared secret known only to the control and the 
"success" URL web script, to graerate a crypto **response". 

Instead of redirecting the browser directly to the web saipt, the control 
can redirect the browser to the web script and pass the crypto '^response" to the script 

20 (typically by simply appending it to the end of the URL). If the crypto '^response" 
does not match the crypto "challenge" that was sent to the control, the script could 
redirect the browser to the "failure" URL. This way, only those with knowledge of 
the shared secret (pref^ably only the control) can request the "success" URL and gain 
access. This client-based design requires the control to make the network service 

25 access decision, instead of sending information from the browser-based control to 
support a decision by the web server. 

Fig. 8 illustrates an exemplary network security system having a 
workstation assessment proxy service for processing workstation assesanent results. 
The exemplary network security system supports a vuhierability assessment invoked 

30 by a network service and a workstation assessment completed via a proxy service 
typically operating on a proxy server. As shown in Fig. 8, a network workstation 
assessment proxy s^ce 815 collects workstation assessment information from a 
variety of sources with security perspectives at the request of a network service 810 or 
a network client 820. This proxy service 815 communicates with different 

35 workstation assessment services, combines the assessnient results, and returns the 
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results to the network service. The different workstation assessment services can 
reside, for example, on a local workstation, on the Internet, on a LAN, or on a WAN. 
The assessment results can be cached in storage for subsequent use. These 
workstation assessment services provide assessments of Hie workstation that show 

5 security weaknesses visible for a particular level of authentication (i.e. adnunistrative 
access, guest/anonymous access, normal user level access, etc.). This information can 
be used by the network service 810 to form a more complete estimate of the 
workstation's security posture and risk profile. 

The exemplary network security 800 operates in a distributed 

10 computing environment comprising a workstation 805, a network service 810, a 
workstation assessmrat proxy service 815, a LAN-based network assessment service 
830, and an Memet-based network assessment service 835. The distributed 
computing environment can include one or more workstations 805, each including a 
network client 820 and a local workstation assessment service 825. An authentication 

15 process is initiated in response to network cKent 820 generating a service request via 
the distributed computer network. The network service 810 responds to the service 
request by issuing a workstation assessment request to the workstation assessment 
proxy service 815. In tum, the workstation assessment proxy service 815 will issue 
multiple assessment requests to a variety of assessment services to evaluate the 

20 potential vuhierability of the workstation 805. 

For example, the workstation assessment proxy service 815 can issue a 
local assessment request to the local workstation assessment service 825 via the 
distributed computing networL In addition, the workstation assessment proxy service 
815 can issue a network assessment request to both the LAN-based network 

25 assessment service 830 and the Intemet-based network assessment service 835. Each 
assessment service completes a scan of the workstation 805 and returns assessment 
results to the workstation assessment proxy service 815 via the distributed computing 
network. 

In tum, the workstation assessment proxy service 815 can combine the 
30 assessment results and transmit the combined assessment results to the network 
service 810 via the distributed computer network. The network service 810 applies a 
workstation security policy to the combined assessment results to determine the level 
of service, if any, to be provided to the requesting workstation 805. The workstation 
security policy can be maintained on the network server hosting the network service 
35 or a separate server, such as a network policy service or a directory server. The 
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network service 810 notifies the network client 820 of tiie authentication results via 
the distributed computing network. 

Another alternative exemplary network security system is shown in 
Fig. 9. The exemplary network security system supports a vulnerability assessment 

5 invoked by a network service and an assessment completed at the local worktation. 
The exemplary network security system 900 comprises a workstation 905 and a 
network server 910, each connected to a distributed computer network, such as the 
Internet or an intranet. The workstation 90S includes a network client 915 and a local 
workstation assessment service 920. The network server 910 includes one or more 

10 network services 925. To obtain a service from the network server 910, the network 
client 915 issues a service request to the network server 910 via the distributed 
computer network. In response, the network service 925 generates a request for an 
assessment of the workstation 905. The local workstation assessment service 
operating on the workstation 905 responds to the assessment request by completing a 

15 vulnerability scan of the workstation 905 and generating workstation credentials. In 
turn, the local workstation assessment service 920 transmits the workstation 
credentials to the network service 925 via the distributed computer network. The 
workstation credentials represent an evaluation of workstation integrity and security 
posture. 

20 The network service 925 assesses a workstation security policy, 

typically maintained at the network server 910, to evaluate the workstation 
credentials. Specifically, the network service 925 compares the workstation 
credentials to the workstation security policy to determine the level of service to be 
provided, if any, to tiie workstation 905. Although the workstation security policy is 

25 preferably maintained on the network server 910, it will be appreciated that the 
security policy also can be maintained on a separate server, such as a network policy 
servOT or a directory server. Based upon the evaluation of workstation credentials, the 
network service 925 issues a message to notify the network client 915 of the service 
level to be provided by the network service 925. 

30 Iq view of the foregoing, it will be appreciated that an authentication 

process can be implemented at a Web server, which evaluates the access of a Web 
service by a workstation based on workstation credentials (security posture and 
integrity information). The user can not log-on to the Web service unless the 
workstation's security posture and integrity comply with the Web service's security 

35 policy. Alternately, the user receives a level of access appropriate to the degree of 
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compliance of fhe workstation's security posture and integrity with the Web service's 
security policy. 

AltOTiatively, an authentication process can be implemented by a 
netwoik coimection. This prevents a workstation &om joining a network without 

5 presenting workstation credentials for ^proval. This authentication process can be 
used when a workstation coimects to a VPN or to a Microsoft Windows Domain. 

The authentication process also can be implemented as an extension to 
an extensible authentication process, such as GSSAPI or Microsoft SSPI. Any 
network service that uses the extensible authentication process can validate the 

10 security of the workstation. 

The authentication process can be implemented on a dial-up 
networking server. When a client dials up, the dial-up server validates the 
workstation credentials of the dialing up workstation, and decides whether to allow 
the call to continue or to allow degraded access to the dial-up services. 

15 The present invention includes a Web-based system can be used for 

gathering, storing and presenting workstation assessment results. This system 
performs workstation assessments fiom multiple security perspectives, and stores the 
results in a database server. Authorized parties may later retrieve these results by 
connecting to the Web server. The Web server operates a Web application that grants 

20 access to the data in the database for each workstation, and provides Web reports to 
authorized parties. Because the system stores workstation assessment results from 
multiple network location and authentication perspectives, it is capable of presenting a 
comprehensive view of workstation security posture. This comprehensive view can 
include internal and external assessments of fhe workstation. 

25 The present invention is directed to network security for distributed 

computer systems, including the client-server computing enviromnent. Those skilled 
in the art will appreciate that a server can operate as a client in a server-to-server 
environment. In other words, the first server can be a "client" of another server in the 
distributed computer network. This being the case, the role of the "workstation" 

30 described throughout this document can be fulfilled by a server that is requesting 
access to a network service. Thus, that server would then be assessed via the 
workstation assessment process during the authentication process. Typically, when 
one server connects to another server, user credentials, if required, are provided by a 
computer program or process rather than by a computer user. This use of user 

35 authentication and credentials for allowing access by a computer program or process 
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follows the same purpose and method as that of a computer user and, as such, fits 
within the confines of user authentication as described in this document. Moreover, a 
client can be implemented by a conventional desktop computing device, a mobile 
computing device, and other computing platforms, such as browser-enabled telephony 

5 devices and personal digital assistants (PDAs), 

Significantly, the preset invention can complete a vulnerabiHty 
analysis of a workstation prior to completion of an authentication of the user of that 
workstation. A vulnerabiUty analysis for the workstation is completed prior to usct 
aulhentication because it is more diflBcult for an intruder to steal a user's credentials if 

10 the intrusion is detected and the user authentication process is terminated before the 
user presents their credentials to the workstation. Consequently, user credentials are 
preferably compared to a user credential database, which is typically maintained on a 
server separate firom the workstation, only after completion of a vuhierability analysis 
of the workstation. Those skilled in the art will appreciate, however, that a 

15 vulnerability analysis of the workstation can also be completed after user 
authentication has been successfully completed. For example, the vulnerability 
assessment can be completed after user authentication and prior to substantive 
operation of a network service at the workstation. 

The above-described embodiments are presented as illustrative 

20 examples. It will be readily appreciated that deviations may be made firom the 
specific embodiments disclosed in this specification without departing from the 
invention. Accordingly, the scope of this invention is to be determined by the claims 
below rather than being limited to the specifically described embodiments above. 
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CLAIMS 

What is claimed is: 

5 1. A computer-implemented process for authenticating a 

workstation requesting a network service from a network server via a computer 
network, comprising the steps: 

generating workstation security credentials by completing a 
vulnerability assessment of the workstation to identify security vuhierabihties that 
10 would compromise the secure operation of the workstation on the computer network; 

comparing the workstation security credentials to a workstation 
security policy to determine whether Ihe workstation should be granted access to the 
network service; and 

authorizing access to the network service by the workstation if 
15 the workstation security credentials satisfy the workstation security policy, otherwise 
denying access to the network service by the workstation. 

2. The computer-implemented process recited by Claim 1 further 
comprising the step of authorizing access to a predetermined level of the network 

20 service if the workstation security credentials satisfy a portion of the workstation 
security policy, 

3. The computer-implemented process recited by Claim 1, 
wherein the step of generating the workstation security credentials comprises 

25 completing the vulnerabiUfy assessment of the workstation by a local workstation 
assessment service maintained on the workstation, the local workstation assessment 
service operative to generate the workstation security credentials. 

4. The computer-implemented process recited by Claim 3, 
30 wherein the workstation security policy is maintained on the workstation, the process 

fiirther comprising the step of providing the workstation security credentials from the 
local workstation assessment service to the workstation security policy. 
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5. The computer-implemented process recited by Claim 1, 
wherein the step of generating the workstation security credentials comprises 
completing the vulnerability assessment of the workstation by a network workstation 
assessment service maintained on the network server, (he network workstation 

5 assessment service operative to generate the workstation security credentials. 

6. The computer-implemented process recited by Claim 5, 
wherein the workstation security poUcy is maintained on the workstation, the process 
furiher comprising the step of providing the workstation security credentials from the 

10 network workstation assessment service to the workstation security policy on the 
workstation via the computer network. 

7. The computer-implemented process recited by Claim 1, 
wherein the step of generating the workstation security credentials comprises 

15 completing the vulnerability assessment of the workstation by a network woiistation 
assessment service maintained on an assessment server coupled to the computer 
network, the assessment server operating as a remote server different from the 
network server, the network workstation assessment service operative to generate the 
workstation security credentials. 

20 

8. The computer-implemented process recited by Claim 7, 
wherein the workstation security policy is maintained on the network server, the 
process further comprising the steps of: 

transmitting the workstation security credentials from the 
25 network workstation assessment service on the assessment server to the network 
service on the network server via the computer network; and 

comparing at the network server the workstation security 
credentials to the workstation security policy to determine whether the workstation 
should be granted access to the network service. 

30 
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9. The computer-implemented process recited by Claim 8 further 
comprising the step of communicating a service decision from the network server to 
the workstation via the computer network, the service decision defining whether the 
workstation is allowed to access Ihe network service or a degraded form of the 
network service, 

10. The computer-implemented process recited by Claim 1, 
wherein the step of generating the workstation security credentials comprises 
conq)letmg the vuhierability assessment of the workstation by the network service on 
the network server in response to receiving a request for the network service from the 
workstation via the computer network. 

IL The computer-implemented process recited by Claim 10, 
wherein the workstation security policy is maintained on the network server, the 
process ftirther comprising the step of comparing at the network server the 
workstation security credentials to the workstation security policy to determine 
whether the workstation should be granted access to the network service or a 
degraded form of the network service. 
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12. A network security system for authenticating a workstation 
requesting a network service from a network server via a computer network, 
comprising: 

a local workstation assessment service, operative on the 
workstation, for generating workstation security credentials by completing a 
vulnerability assessment of the workstation to identify security vulnerabilities that 
would compromise the secure operation of the workstation on the computer network; 
and 

a workstation security policy, operative on the workstation, for 
defining security policy requirements for secure operations by the workstation; 

the local workstation assessment service further operative for 
comparing the workstation security credentials to the workstation security policy to 
determine whether the workstation should be granted access to the network service, 

the local workstation assessment service further operative to 
authorize access to the network service by the workstation if the workstation security 
credentials satisfy the workstation security policy. 
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13. A network security system for auflxenticating a workstation 
requesting a network service from a network server via a computer network, 
comprising: 

a local workstation assessment service, operative on the 
workstation, for generating workstation security credentials by completing a 
vulnerability assessment of the workstation to identify security vuhierabilities that 
would compromise the secure operation of the workstation on the computer network; 
and 

a netwoik service, operative on the network server, for 
determining whether the workstation should be granted access to a software service of 
the network service in response to receiving the workstation security credentials via 
the computer network. 

14. The network security system recited by Claim 13 further 
comprising a workstation security policy at the network server, the workstation 
security policy operative to define security requirements for secure operation of the 
workstation on the computer network. 

15. The network security system recited by Claim 14, wherein the 
network service is further operative for comparing the workstation security credentials 
to the workstation security policy to determine whettier the workstation should be 
granted access to the software service, the network service operative to authorize 
access to the software service by the workstation if the workstation security 
credentials satisfy the workstation security policy. 
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16. A network security system for authoiticating a workstation 
requesting a network service ftom a network server via a coiiq)utCT network, 
comprising: 

the networic service operative to generate workstation security 
5 credentials by completing a vulnerability assessment of the workstation to identify 
security vulnerabilities that would compromise the secure operation of the 
workstation on the computer network; 

the network service further operative to determine whether the 
workstation should be granted access to a software service of tiie network based on 
10 the workstation security credentials. 

17. The network security system recited by Claim 16 further 
comprising a workstation security policy at the network servCT, the workstation 
security policy operative to define security requirements for secure operation of the 

15 workstation on the computer network. 

18. Ihe network security system recited by Claim 17, wherein the 
network service is further operative to compare the workstation security credentials to 
the workstation security policy to detranine whether the workstation should be 

20 granted axxjess to the software service, the network service operative to authorize 
access to the software service by the workstation if the workstation security 
credentials satisfy^ the workstation security policy. 
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19. A coniputer-iinplem^ted process for authenticating a 
workstation requesting a network service fiom a network server via a computer 
network, comprising the steps: 

issuing a request for a log-in page to a network server firom a 
browser operating on the workstation; 

transmitting the log-in page and an authentication plug-in from 
the network server to the workstation via the computer network, the authentication 
plug-in installable within the browser and operative to generate workstation security 
credentials by completing a vulnerability assessment of the workstation to identify 
security vulnerabilities that would compromise the secure operation of the 
workstation on the computer network; 

transmitting the woricstation security credentials from the 
authentication plug-in to the network server via the computer network; and 

determining at a CGI script operating on the network server 
whether the workstation should be granted access to a software service of the network 
based on the workstation security credentials. 

20. The computer-implemmted process recited by Claim 19 
wherein the step of determining whether the workstation should be granted access to 
the software service comprises the step of the CGI script comparing the workstation 
security credentials to a workstation security poUcy maintained at the network server 
to determine whether the workstation should be granted access to the software 
service; 

if the workstation security credentials satisfies the workstation 
security policy, then authorizing access to the software service and directing the 
browser to the log-in page via the computer network, 

otherwise, denying access to the software service and 
delivering an access denied page to the workstation via the computer network. 
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21. A network security system for authenticating a workstation 
requesting a network service operating on a network server via a computer network, 
comprising: 

a network assessment service operating on a network 
5 workstation assessment server on the computer network, the network assessrnent 
service operative to generate workstation security credentials by completing a 
vuhierability assessment of the workstation via the computer network to identify 
security vulnerabilities that would compromise the secure operation of the 
workstation on the computer network, 
10 the network service, responsive to receiving the workstation 

security credentials from the network assessment service via the computer, operative 
to determine whether tiie workstation should be granted access to a software service 
of the network based on the workstation security credentials and the user credentials. 

15 22. The network security system recited by Claim 21 furfh«: 

comprising a workstation security policy at the network server, the workstation 
security policy operative to define security requirements for secure operation of the 
workstation on the computer networic. 

20 23. The network security system recited by Claim 22, wherein the 

network service is further operative to compare the workstation security credentials to 
the workstation security policy to determine whether the workstation should be 
granted access to the software service, the network service operative to authorize 
access to the software service by the workstation if the workstation security 

25 credentials and the user credentials satisfy the workstation security policy. 

24. The network security system recited by Claim 21, wherein the 
network SCTvice is operative to transmit to the network assessment service via the 
computer network a request to complete the vuhierability assessment of the 
30 workstation in response to recdvmg a request for the software service from the 
workstation. 
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25. A computer-implemeated process for ' aafheaticating a 
workstation requesting a network service from a network server via a computer 
network, comprising the steps: 

issuing a request for a log-in page to a network server from a 
browser operating on the workstation; 

transmitting the log-in page, an authentication plug-in, and a 
workstation policy from the network server to the workstation via the computer 
network, the authentication plug-in installable within the browser and operative to 
generate workstation security credentials by completing a vulnerability assessment of 
the workstation to identify security vulnerabilities that would compromise the secure 
operation of the workstation on the computer network; 

comparing the woikstation security credentials to the 
workstation policy on the workstation to determine whether the woikstation should be 
granted access to a software service of the network. 
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3. Network Client transmits 
user and workstation credentials 
to Network Service as part of 
regular authentication process. 
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security policy to evaluate 
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access. Security policy 
may be stored on the 
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7, Network Service utilizes 
security policy to evaluate 
workstation credentials and 
determine type of access. 
Security policy may be stored 
on the Network Server or on 
Network Policy Server or 
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